New Failure Technique F109 for Issue #1918 Accessible Authentication needs better techniques #2990
Conversation
|
thanks @dan-hw :) |
|
Thanks for putting this together @dan-hw . |
…ation in response to @mbgower's helpful comment
|
Thanks @mbgower. This is a helpful clarification that's made me think through exactly what the failure is here.
I agree that 'prevent pasting' is a separate failure from what we are focussing on here. (Let me know if it's helpful for me to add another failure technique for this under this PR or a separate one - happy to do so). I was aiming to focus this technique on 'requiring specific characters in a string'. I've amended that in the commit above to make that focus clearer. I've also attempted to make clear that the failure is really about forcing users to enter the password in a different format from which it was originally created. I.e. Even if you are able to paste text into the fields in question, the fact that the password input is split across multiple fields in a way that it wasn't when the password was set up, means that password managers (or similar) can't take advantage of this ability to paste. This encompasses examples other than the "Enter the 2nd, 6th and last characters of your password", such as "A password input fieldset composed of elements that requires a user to select each character of a fixed-length password from individual dropdown fields". Edits gratefully received |
Co-authored-by: Dan Bjorge <dan@dbjorge.net>
dan-hw
requested review from
patrickhlauke and
dbjorge
and removed request for
alastc and
patrickhlauke
Clarifying example about passcode input spread across multiple fields Co-authored-by: Mike Gower <gowerm@ca.ibm.com>
It'll be faster to just keep this one separate, I think. The other one is going to be pretty fast to do once we get this one approved. I think we probably want to cover both the username and the password inputs? Failure of Success Criterion 3.3.8 and 3.3.9 due to preventing pasting in login inputsThe only technique I know for this is
TestsProcedureFor each input in a login process:
If step #1 is true, then this failure condition applies and content fails the Success Criterion. |
… passwords Co-authored-by: Mike Gower <gowerm@ca.ibm.com>
| <section id="tests"><h2>Tests</h2> | ||
| <section class="procedure"><h3>Procedure</h3> | ||
| <ol> | ||
| <li>Check if the structure of the input field(s) prevents the user from pasting or auto-filling the entire password or passcode in the format in which it was originally created.</li> |
There was a problem hiding this comment.
There needs to be some context-setting before the test bullets, for example, For each input field designed to accept a password...
| @@ -0,0 +1,33 @@ | |||
| <!DOCTYPE html><html lang="en" xml:lang="en" xmlns="http://www.w3.org/1999/xhtml"> | |||
|
|
|||
| <head><title>Failure of Success Criterion 3.3.8 and 3.3.9 due to forcing transcription of individual password characters</title> | |||
There was a problem hiding this comment.
Is this title just saying "Failure of .... due to requiring manual entry of passwords"? Would that be simpler?
| <link rel="stylesheet" type="text/css" href="../../css/sources.css" class="remove"></head><body><h1>Failure of Success Criterion 3.3.8 and 3.3.9 due to forcing transcription of individual passphrase characters</h1><section class="meta"><p class="id">ID: F109</p><p class="technology">Technology: failures</p><p class="type">Type: Failure</p></section><section id="applicability"><h2>When to Use</h2> | ||
| <p>All technologies that require authentication.</p> | ||
| </section><section id="description"><h2>Description</h2> | ||
| <p>Requiring users to authenticate by entering a password or passcode in a different format from which it was originally created is a failure to meet Success Criteria 3.3.8 and 3.3.9 (unless alternative authenticaton methods are available). If a user is required to enter individual password characters across multiple fields, in a way that prevents pasting the password in a single action, it prevents use of a password manager or pasting from local copy of the password or passcode. This means users cannot avoid transcription, resulting in a <a href="../../understanding/22/accessible-authentication.html#dfn-cognitive-function-test">cognitive function test</a>. This applies irrespective of whether users are required to enter all characters in the string, or just a subset.</p> |
There was a problem hiding this comment.
| <p>Requiring users to authenticate by entering a password or passcode in a different format from which it was originally created is a failure to meet Success Criteria 3.3.8 and 3.3.9 (unless alternative authenticaton methods are available). If a user is required to enter individual password characters across multiple fields, in a way that prevents pasting the password in a single action, it prevents use of a password manager or pasting from local copy of the password or passcode. This means users cannot avoid transcription, resulting in a <a href="../../understanding/22/accessible-authentication.html#dfn-cognitive-function-test">cognitive function test</a>. This applies irrespective of whether users are required to enter all characters in the string, or just a subset.</p> | |
| <p>Requiring users to authenticate by entering a password (password, passcode, passphrase or any string of characters the user has to remember or record to authenticate) in a different format from which it was originally created is a failure to meet Success Criteria 3.3.8 and 3.3.9 (unless alternative authentication methods are available). If a user is required to enter individual password characters across multiple fields, in a way that prevents pasting the password in a single action, it prevents use of a password manager or pasting from local copy of the password or passcode. This means users cannot avoid transcription, resulting in a <a href="../../understanding/22/accessible-authentication.html#dfn-cognitive-function-test">cognitive function test</a>. This applies irrespective of whether users are required to enter all characters in the string, or just a subset.</p> |
|
I'm closing this PR as there are conflicts I can't resolve. Nothing wrong with the work, it's just because it's an external branch. We can continue over in #3174 |
#1916